From a1898cf710c87a6ad2ef0816319a9497c6d61d87 Mon Sep 17 00:00:00 2001
From: TKE
Date: Wed, 2 Jun 2021 11:13:29 +0200
Subject: [PATCH] Added sleuthkit folder extraction
---
extractfolder.py | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 extractfolder.py
diff --git a/extractfolder.py b/extractfolder.py
new file mode 100644
index 0000000..172ff6d
--- /dev/null
+++ b/extractfolder.py
@@ -0,0 +1,23 @@
+import subprocess
+import sys
+
+image=sys.argv[1]
+inode=sys.argv[2]
+
+
+output = subprocess.check_output(f"fls -F {image} {inode}", shell=True)
+
+output=output.decode()
+result = {}
+for row in output.split('\n'):
+ if ':' in row:
+ key, value = row.split(':')
+ idx = key.split(" ")[-1]
+ fsid = idx.split("-")[0]
+ result[fsid] = value.strip()
+
+for fsid in result:
+ print(f"Writing Inode {fsid} -> {result[fsid]} ")
+ outfile=open(result[fsid],'w')
+ subprocess.run(["icat", image, fsid],stdout=outfile)
+
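Review bot: The `fls` call interpolates `sys.argv` values into a shell string with `shell=True`, so an image path containing spaces or shell metacharacters is mis-split or interpreted by the shell; the `icat` call further down already uses the list form and `fls` should match it. The name passed to `open(result[fsid],'w')` is taken verbatim from directory entries of the image under examination, so if `fls` reports an entry name containing a path separator or `..`, the write could land outside the working directory; reduce the name to its final path component before opening it (this needs `import os`). `row.split(':')` raises ValueError as soon as an entry name itself contains a colon, which `split(':', 1)` avoids. The output handle is never closed and the `icat` exit status is ignored, so a failed extraction leaves a truncated file without any error.

```python
output = subprocess.check_output(["fls", "-F", image, inode])
# … unchanged: decode, result dict and row loop header …
        key, value = row.split(':', 1)
# … unchanged: idx / fsid parsing and result assignment …
for fsid in result:
    # entry names come from the image being examined: keep only the last path component
    name = os.path.basename(result[fsid])
    if name in ("", ".", ".."):
        continue
    # … unchanged: progress print …
    with open(name, 'w') as outfile:
        subprocess.run(["icat", image, fsid], stdout=outfile, check=True)
```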